A password hash generated using algorithms like MD5, BSD, SHA1 or another default hashing algorithm is said to be a weak hash, since there are known attacks. It's important to use a hashing algorithm like SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), since to date there are no known attacks. On a UNIX-based operating system, passwords are hashed and stored in either the /etc/passwd or the /etc/shadow file. If the /etc/shadow file is missing on the system, it can be generated by running the command pwconv, which moves the password hashes from /etc/passwd to /etc/shadow and then places the character 'x' as a placeholder in the passwd file, indicating that the password hash is stored in the shadow file.

Linux/Unix systems must employ password hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors. Use of unapproved algorithms may result in weak password hashes, which are more vulnerable to compromise. Check the /etc/passwd and /etc/shadow files for password hashes. Typically, the /etc/passwd file looks like:

The hash will always begin with a 3-character identifier indicating the hashing algorithm. The format of the password hash is "$id$salt$hashed", where $id is the algorithm used. The table below should help:

| Algorithm used | Hashed value starts with |
|---|---|
| BSDi | _ |
| MD5 | $1$ |
| Blowfish | $2$, $2a$, $2x$ or $2y$ |
| NT Hash | $3$ |
| SHA1 | $4$ |
| SHA2 (256 or 384 bits) | $5$ |
| SHA2 (512 bits) | $6$ |

Typically, the /etc/shadow file looks like:

So the easiest way to find weak password hashes is to analyze the first 3 characters of the password placeholder field, as shown above. You can use a simple shell script to detect this. Before doing so, you need to know about some special character sequences which are never present in a password hash string. The important ones are:

"NP" or "!" or null - no password; the account has no password
"LK" or "*" or "*LK*" - the account is locked; the user will be unable to log in
"!!" - the password has expired

Our shell script should skip such entries and only report those which are actual hashes using weak hashing algorithms. Read the files /etc/passwd and /etc/shadow line by line and use the code below to analyze the hash.
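
One way to write such a check, as an added example that is not code from the original page: it skips the marker values listed above and reports every hash whose prefix is not $5$ or $6$, following the SHA-2 requirement stated earlier. The function names, the "unrecognized" fallback, the handling of a '!' prepended to a stored hash (what Linux `passwd -l` does) and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag password fields whose hash is not SHA-2 ($5$ / $6$).

# classify_field FIELD -> prints "skip", "ok" or "weak:<algorithm>"
classify_field() {
    h=${1#'!'}   # Linux 'passwd -l' prepends '!' to a stored hash; look past it
    case "$h" in
        ''|x|NP|'!'|LK|'*'|'*LK*') echo skip ;;  # markers and 'x' placeholder, not hashes
        '$5$'*|'$6$'*)         echo ok ;;        # SHA-2 family
        _*)                    echo weak:BSDi ;;
        '$1$'*)                echo weak:MD5 ;;
        '$2$'*|'$2'[axy]'$'*)  echo weak:Blowfish ;;
        '$3$'*)                echo weak:NT-Hash ;;
        '$4$'*)                echo weak:SHA1 ;;
        *)                     echo weak:unrecognized ;;  # prefix not in the table
    esac
}

# scan: read passwd/shadow-format lines on stdin, print "<user> <algorithm>"
# for every account whose second field holds a non-SHA-2 hash.
scan() {
    while IFS=: read -r user field rest || [ -n "$user" ]; do
        verdict=$(classify_field "$field")
        case "$verdict" in
            weak:*) printf '%s %s\n' "$user" "${verdict#weak:}" ;;
        esac
    done
}

# Constructed sample in /etc/shadow layout (salts and digests are fake).
sample_shadow() {
cat <<'EOF'
root:$6$constructedsalt$constructedSHA512digest:19000:0:99999:7:::
alice:$1$abcdefgh$constructedMD5digest:19000:0:99999:7:::
bob:!$4$somesalt$constructedSHA1digest:19000:0:99999:7:::
carol:_J9..constructedBSDidigest:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest:!!:19000:0:99999:7:::
nopw::19000:0:99999:7:::
EOF
}

# With file arguments (e.g. /etc/passwd /etc/shadow, run as root) scan those;
# with no arguments, scan the constructed sample.
if [ "$#" -gt 0 ]; then cat "$@" | scan; else sample_shadow | scan; fi
```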